Jake Archibald jakearchibald.com

What happens when packages go bad?

See what happens when a rogue (evil) dependency explores ways to attack the developer, the server, and the end user, plus other examples.

Jake Archibald recently experienced a small hack (break-in) on an old website of his. As a thought exercise, he explored various scenarios around the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say:

It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.

